VPN tunnel negotiates but only when triggered from one side and IKE/IPSec SA delete request
Posted on 2012-08-25
I have made some big changes to our network infrastructure today as we are due to take over another floor in our building (we've only had one so far).
The relevant changes are the introduction of a Layer 3 switch (as we need to start using VLANs) and the switch from our SonicWall TZ190 to two SonicWall NSA200s (HA solution). The Layer 2 switches were replaced as well.
The SonicWall has a virtual sub-interface set up and assigned to the LAN interface (x0); this is used solely for wireless.
The connectivity between the floors is fine and the connectivity within the network is fine; my only issue is one VPN tunnel which initially didn't connect.
We are connecting to a Cisco firewall in a data centre in London via a VPN tunnel from our SonicWall.
This worked until I changed it over today; all existing rules were copied, so there shouldn't be a problem with those.
I tried to connect to the remote servers but a connection couldn't be established. There was only one attempt to establish the VPN tunnel in the log files:
IKE responder received main mode request (Phase 1)
IKE responder: Main mode complete (Phase 1)
Received IPSec SA delete request
Received IKE SA delete request
No further attempts after this initial one.
I then connected to a computer in a remote office which has a VPN tunnel to the remote firewall set up successfully, and from there to our remote servers.
From the remote servers I pinged our internal network (a server in the office network that couldn't connect), and this triggered the VPN tunnel negotiation as well as a successful connection. I can now RDP to the remote servers from the computers that previously couldn't connect.
[edit] The tunnel has just dropped again after another IKE/IPSec delete request...
[edit 2] I've just received the log entries from our data centre hoster for the time of the disconnection. Keep alive is enabled in the VPN settings...
Aug 25 18:48:07 xxx: IP = 141.x.x.x, Keep-alives configured on but peer does not support keep-alives (type = None)
Aug 25 18:52:23 xxx: Group = 141.x.x.x, IP = 141.x.x.x, Connection terminated for peer 141.x.x.x. Reason: IPSec SA Idle Timeout Remote Proxy 192.168.73.0, Local Proxy 192.168.128.0
Aug 25 18:54:57 xxx: Group = 141.x.x.x, Username = 141.x.x.x, IP = 141.x.x.x, Session disconnected. Session Type: IPsec, Duration: 0h:42m:51s, Bytes xmt: 146067, Bytes rcv: 227970, Reason: Idle Timeout
Aug 25 18:54:57 xxx: Group = 141.x.x.x, IP = 141.x.x.x, Connection terminated for peer 141.x.x.x. Reason: IPSec SA Idle Timeout Remote Proxy 192.168.73.0, Local Proxy 192.168.129.128
There's obviously something wrong but what?
Please let me know what more info you require and I'll post it for you.
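As an added example (not part of the original post, and not output of either firewall), here is a small Python triage script that correlates the two sides of the symptom described above: the Cisco-side "Keep-alives configured on but peer does not support keep-alives" and "IPSec SA Idle Timeout" entries, and the SonicWall-side log that only ever shows Phase 1 as responder followed by received SA delete requests. The sample log lines are constructed from the ones quoted in the post (placeholder addresses kept as 141.x.x.x), the hostname "asa" is a stand-in for the redacted "xxx", and the "IKE Initiator" pattern used to detect SonicWall-side initiation attempts is an assumption about that log format. The findings are this script's interpretation of the pattern, intended as a starting point for comparing keepalive/DPD and idle-timeout settings on both peers.

```python
"""Correlate IKE/IPsec teardown events from both ends of a site-to-site tunnel.

Added example, not from the original post. Sample lines are constructed from the
ones quoted there; findings are this script's interpretation, not firewall output.
"""
import re
from collections import defaultdict

# Constructed sample: Cisco ASA-style lines, placeholders kept from the post.
ASA_LOG = """\
Aug 25 18:48:07 asa: IP = 141.x.x.x, Keep-alives configured on but peer does not support keep-alives (type = None)
Aug 25 18:52:23 asa: Group = 141.x.x.x, IP = 141.x.x.x, Connection terminated for peer 141.x.x.x. Reason: IPSec SA Idle Timeout Remote Proxy 192.168.73.0, Local Proxy 192.168.128.0
Aug 25 18:54:57 asa: Group = 141.x.x.x, Username = 141.x.x.x, IP = 141.x.x.x, Session disconnected. Session Type: IPsec, Duration: 0h:42m:51s, Bytes xmt: 146067, Bytes rcv: 227970, Reason: Idle Timeout
Aug 25 18:54:57 asa: Group = 141.x.x.x, IP = 141.x.x.x, Connection terminated for peer 141.x.x.x. Reason: IPSec SA Idle Timeout Remote Proxy 192.168.73.0, Local Proxy 192.168.129.128
"""

# Constructed sample: SonicWall-side entries as quoted in the post.
SONICWALL_LOG = """\
IKE responder received main mode request (Phase 1)
IKE responder: Main mode complete (Phase 1)
Received IPSec SA delete request
Received IKE SA delete request
"""

# Peer address token; accepts the redacted "141.x.x.x" form as well as real dotted quads.
IP = r"(?P<ip>[\dx]+(?:\.[\dx]+){3})"
TS = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")
ASA_PATTERNS = {
    "keepalive_unsupported": re.compile(
        rf"IP = {IP}, Keep-alives configured on but peer does not support keep-alives"),
    "idle_timeout": re.compile(
        rf"Connection terminated for peer {IP}\. Reason: IPSec SA Idle Timeout "
        r"Remote Proxy (?P<remote>[\d.]+), Local Proxy (?P<local>[\d.]+)"),
    "session_disconnected": re.compile(
        rf"IP = {IP}, Session disconnected\. Session Type: IPsec, "
        r"Duration: (?P<duration>\S+),.*Reason: (?P<reason>.+)$"),
}
SW_PATTERNS = {
    "responder_main_mode": re.compile(r"IKE responder received main mode request"),
    # Assumption: an initiation attempt would be logged with "IKE Initiator".
    "initiator_main_mode": re.compile(r"IKE [Ii]nitiator"),
    "ipsec_sa_delete_rx": re.compile(r"Received IPSec SA delete request"),
    "ike_sa_delete_rx": re.compile(r"Received IKE SA delete request"),
}


def parse_asa_line(line):
    """Return (timestamp, event_name, fields) for a recognised ASA line, else None."""
    ts = TS.match(line)
    for name, pat in ASA_PATTERNS.items():
        m = pat.search(line)
        if m:
            return (ts.group("ts") if ts else None, name, m.groupdict())
    return None


def triage(asa_log, sonicwall_log):
    """Summarise per-peer ASA events, count SonicWall event types, and emit findings."""
    events = [e for e in (parse_asa_line(l) for l in asa_log.splitlines()) if e]
    peers = defaultdict(lambda: {"keepalive_unsupported": False,
                                 "idle_timeouts": [], "sessions": []})
    for ts, name, f in events:
        p = peers[f["ip"]]
        if name == "keepalive_unsupported":
            p["keepalive_unsupported"] = True
        elif name == "idle_timeout":
            p["idle_timeouts"].append((ts, f["remote"], f["local"]))
        else:
            p["sessions"].append((ts, f["duration"], f["reason"]))

    sw = {name: sum(1 for l in sonicwall_log.splitlines() if pat.search(l))
          for name, pat in SW_PATTERNS.items()}

    findings = []
    for ip, p in peers.items():
        if p["idle_timeouts"]:
            nets = sorted({(r, l) for _, r, l in p["idle_timeouts"]})
            findings.append(f"{ip}: ASA tore down {len(p['idle_timeouts'])} IPsec SA(s) "
                            f"on idle timeout for proxy pairs {nets}")
        if p["keepalive_unsupported"] and p["idle_timeouts"]:
            findings.append(f"{ip}: ASA did not negotiate keepalives with this peer, so "
                            "nothing keeps the SA up while idle; compare keepalive/DPD and "
                            "idle-timeout settings on both ends")
    if sw["responder_main_mode"] and not sw["initiator_main_mode"]:
        findings.append("SonicWall shows Phase 1 only as responder and no initiator "
                        "attempts: the tunnel comes up only when the Cisco side sends traffic")
    if sw["ipsec_sa_delete_rx"] or sw["ike_sa_delete_rx"]:
        findings.append("SonicWall received SA delete request(s): the teardown originates "
                        "on the Cisco side, matching its idle-timeout entries")
    return {"peers": dict(peers), "sonicwall": sw, "findings": findings}


if __name__ == "__main__":
    for line in triage(ASA_LOG, SONICWALL_LOG)["findings"]:
        print("-", line)
```

Run it as-is to see the four findings for the constructed sample; point it at real exports by replacing the two constants with the contents of the respective log files.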